Abstract — In this paper we discuss the ability of channel codes to enhance cryptographic secrecy. Toward that end, we present the secrecy metric of degrees of freedom in an attacker's knowledge of the cryptogram, which is similar to equivocation. Using this notion of secrecy, we show how a specific practical channel coding system can be used to hide information about the ciphertext, thus increasing the difficulty of cryptographic attacks. The system setup is the wiretap channel model where transmitted data traverse through independent packet erasure channels with public feedback for authenticated ARQ (Automatic Repeat reQuest). The code design relies on puncturing nonsystematic low-density parity-check codes with the intent of inflicting an eavesdropper with stopping sets in the decoder. Furthermore, the design amplifies errors when stopping sets occur such that a receiver must guess all the channel-erased bits correctly to avoid an expected error rate of one half in the ciphertext. We extend previous results on the coding scheme by giving design criteria that reduce the effectiveness of a maximum-likelihood attack to that of a message-passing attack. We further extend security analysis to models with multiple receivers and collaborative attackers. Cryptographic security is enhanced in all these cases by exploiting properties of the physical layer. The enhancement is accurately presented as a function of the degrees of freedom in the eavesdropper's knowledge of the ciphertext, and is even shown to be present when eavesdroppers have better channel quality than legitimate receivers.

I. Introduction

A. Cryptography and the Physical Layer

Many cryptosystems in place today measure security computationally. If all known attacks are computationally intractable, then the system is deemed to be secure. The chief failings of this notion of security are the assumptions placed on the attacker. First, it is assumed that the attacker has limited resources to confront the problem, even if those resources are state of the art. Second, it is assumed that the attacker uses attacks which are publicly known, even though a better attack may exist. Claude Shannon addressed these shortcomings by defining the notion of perfect secrecy. If a secret message $M$ is encrypted into a cryptogram $E$ using a secret key $K$, then perfect secrecy is achieved if $H(M|E) = H(M)$. Shannon also proved that perfect secrecy is only attainable if the key is at least as long as $M$, which is clearly impractical. However, perfect secrecy also makes the limiting assumption that an attacker has access to an error-free cryptogram, which may not be the case in practice.

Aaron Wyner later introduced the wiretap channel model, along with a new condition for secrecy [2]. Let a message $M$ of length $k$ be encoded into a codeword $X$ of length $n$, and then transmitted. The rate of the encoder is $k/n$. A legitimate receiver obtains $Y$ over the main channel denoted $Q_m$ and an eavesdropper obtains $Z$ over a wiretap channel denoted $Q_w$. The secrecy condition is given as (1).

Wyner showed that for rates up to the secrecy capacity $C_s$, encoders and decoders exist which can satisfy (1) and also achieve arbitrarily low probability of error for intended parties when $X \to Y \to Z$ is a Markov chain. This is known as the degraded wiretap channel model. Csiszár and Körner [3] later generalized these results removing the degraded restriction, but still showing that $C_s > 0$ only if $Q_m$ is less noisy than $Q_w$.

Understanding of the theoretically achievable secrecy rates of communication systems has continued to grow, as outlined in e.g. [4], [5], and [6]. But another of the main challenges in this area has been the design of practical systems which achieve the secrecy rates indicated by the theory. These systems exploit noise in the channel at the physical layer of the communications system. Practical designs maximizing the information-theoretic secrecy are not trivial. Most currently suffer from one or more of several drawbacks. For instance, code designs are oftentimes a function of specific channel parameters (channel state information or CSI) seen by legitimate receivers and eavesdroppers. Without accurate CSI, the results of these systems are not guaranteed; therefore, channels with varying or unknowable parameters present design issues. Other codes offer secrecy for only specific types of channels, or only when the eavesdropper's channel is degraded. Still other designs are impractical in the real world due to design complexity, necessary side information for legitimate decoding, or other limitations. Finally, the most glaring shortcoming of any scheme which derives security from the physical layer of a communications system is that if an eavesdropper has a better channel than a legitimate receiver, the scheme is likely to fail. The extreme case is when an eavesdropper has a noise-free channel and $Z = X$. Clearly this necessitates any physical-layer security scheme to be coupled with some other protection in order to maintain secrecy in the worst case.

B. Main Contributions 

The intent of this paper is to develop the notion of combined security due to cryptography and channel coding, thus providing a more complete security solution. To accomplish this goal, we cast coding into a cryptographic enhancement role, and seek to prevent an attacker from obtaining a noise-free cryptogram using channel coding. We present a new security metric for physical-layer schemes; namely, degrees of freedom $D$ in an attacker's knowledge of the cryptogram. As a comparison, if bits in $M$ are uniformly zero or one and independent and identically distributed (i.i.d.), then perfect secrecy implies $D = k$. In fact we show that $H(X|Z) = E[D]$ for a specific case. Our notion of physical-layer security using $D$ addresses the effectiveness of attacks on a cryptographic layer. To be more precise, our notion of security answers the practical question: how does the complexity of an attack on the cryptography change without perfect knowledge of the cryptogram?

It has been shown previously using correlation attacks on stream ciphers that certain cryptographic attacks are still possible even on noisy cryptograms, although a threshold on the noise level exists such that errors beyond the threshold cause the attack to fail [7], [8], [9], [10]. Practical schemes should provide enough confusion to exploit even the smallest amount of noise in an eavesdropper's received data to cause failure of these attacks on the cryptographic layer. Such systems should be robust to varying channel parameters, imperfect CSI at the encoder, and nondegraded system models. In fact, good designs still offer security enhancement to cryptography, even when attackers have an advantage in signal quality over legitimate receivers. Of course, all of this must be done while guaranteeing reliable communication between friendly parties.

Therefore, along with the new metric, this paper also analyzes combined cryptographic and physical-layer security in a practical coding scheme using degrees of freedom to characterize security. In [11], this scheme was shown to inflict a passive eavesdropper using a message-passing decoder with stopping sets with very high probability when a legitimate receiver and an eavesdropper view transmitted data through statistically independent packet erasure channels (PEC). The scheme relies on a nonsystematic low-density parity-check (LDPC) code design, with puncturing and interleaving steps in the encoder. Legitimate receivers are given access to an authenticated public feedback channel for Automatic Repeat-reQuest (ARQ). In this paper, we broaden the security analysis of the scheme given in [11] by addressing the following points.

• Degrees of Freedom: The system security is analyzed using the new metric. Computational secrecy is shown to grow exponentially with $E[D]$, which is also shown to be equal to $H(X|Z)$ for the prescribed encoder.

• Encoder Description: End-to-end details of the encoder and decoder are provided, as well as simulation results which match theoretical expectations.

• Optimization: Design criteria are specified to maximize the degrees of freedom in the maximum-likelihood attack as well as the message-passing attack. This involves comparison of irregular LDPC codes with regular LDPC codes.

• Extensions: Security results are made general so as to apply to multiple receivers and multiple collaborative attackers. Ultimately, bounds on the increase in computational secrecy of an underlying cryptosystem are specified when the physical-layer encoding system is employed.

Ultimately, this scheme has very few design constraints, offers enhanced cryptographic secrecy over a wide range of CSI parameters, and requires no secret key and no rate reduction in data transmission.

C. Related Works 

Our encoder makes use of fundamental practical design ideas which have been shown to offer secrecy. For example, our encoder employs nonsystematic LDPC codes in order to hide information bits and magnify coding errors. Secrecy properties of these codes have been studied in [12]. We further employ intentional puncturing of encoded bits, a technique shown to offer security in [13], [14]. Our scheme punctures with the goal of inducing stopping sets in an eavesdropper's received data. As a result, every transmitted bit is crucial for decoding. Our intent is to punish an eavesdropper for every missing piece of information. Finally, in order to distribute erasures throughout the data set, the encoder interleaves coded bits among several transmitted packets. Similar ideas of interleaving coded symbols have been used in [15], [16] in conjunction with wiretap codes developed in [17] to offer secrecy to various systems. The works [18], [19] give results for ARQ and feedback wiretap systems.

It can be argued that the first practical secrecy coding scheme was presented by Ozarow and Wyner in an extension of the original wiretap paper [4]. Here the general idea of partitioning a group code into cosets to achieve secrecy was first presented. This technique was shown to apply to LDPC codes much more recently in [17], and achieves the secrecy condition in (1) for noiseless main channels when the wiretap channel is either a binary erasure channel (BEC) or a binary symmetric channel (BSC). This work in LDPC codes for secrecy has been furthered in [20], where large-girth LDPC codes are considered, and shown to meet the secrecy constraint in (1) for noiseless main channel and BEC wiretap channel. A stronger notion of secrecy than (1) is also achieved for these codes in certain cases. Finally, it should be noted that Arikan's polar codes [21] can offer secrecy for general symmetric channels, although code construction is an issue for non-erasure channels. Schemes have been presented in [22] and [23] which achieve the secrecy capacity under the condition in (1), although these schemes only offer secrecy for degraded wiretap channels. Furthermore, design of these codes is heavily contingent on perfect CSI at the encoder.

Although our codes can be shown to achieve (1) only under certain puncturing criteria, the main contribution of the coding scheme presented here is the cryptographic security enhancements shown using degrees of freedom as a security metric. Our scheme is robust against imperfect CSI, and for that matter, undetected eavesdroppers. To our knowledge, it is also the first practical secrecy scheme which can operate on the general wiretap channel (nondegraded case) when both $Q_m$ and $Q_w$ are erasure channels.

The rest of the paper is outlined as follows. In Section II we discuss the system model for which our encoder is designed, which is an adaptation of the wiretap channel model from [2]. The precise definition of degrees of freedom is also given. Section III addresses background information regarding LDPC codes and stopping sets. Our novel encoder and decoder designs are presented in Sections IV and V, respectively. Analysis of the security inherent in the system is then completed in Section VI for various scenarios, ultimately culminating in the most general case which encompasses multiple users and collaborating eavesdroppers. Finally, bounds regarding enhancements of cryptographic security are presented in Section VII along with end-to-end simulations of the system. Conclusions are provided in Section VIII.

Fig. 1. Wiretap channel model with feedback assuming packet erasure channels for both the main channel $Q_m$ and the wiretap channel $Q_w$.

II. System Model and Degrees of Freedom 

We begin by presenting the wiretap channel model [24] with the addition of feedback in Fig. 1. A user named Alice wishes to transmit an encrypted binary message $M = (m^1, \ldots, m^L)$ to a legitimate receiver named Bob, where $m^i = (m^i_1, m^i_2, \ldots, m^i_k) \in \mathcal{M}$ for $i = 1, 2, \ldots, L$. It will be helpful to think of $M$ as being broken up into $L$ blocks of length $k$, where $k$ is the dimension of the encoder to follow. The final block can be filled by concatenating random bits if needed. Let us also define the blocklength $n$ of the encoder. Then the coding rate is $k/n$. To be clear, $n$ is the length of a codeword after it has been punctured. We will also assume that $M$ has been compressed, so that all possible bit combinations are equally likely in the alphabet $\mathcal{M}$. Prior to transmission, Alice encodes $M$, resulting in a collection of $\eta$ packets $X = (x^1, x^2, \ldots, x^\eta)$ for transmission. Bob receives the packets as $Y$ through $Q_m$, a PEC with probability of erasure $\delta$. An eavesdropper named Eve obtains the packets $Z$, although through $Q_w$, an independent PEC with probability of erasure $\epsilon$. An obvious extension of this model is to consider correlated erasures in $Q_m$ and $Q_w$; however, in this paper we always assume erasures are statistically independent. Finally, $\hat{M}$ and $\tilde{M}$ are the respective estimates of $M$ by Bob and Eve.

The encoder and decoder exploit the independent nature of erased packets across $Q_m$ and $Q_w$. Of course, the system must guarantee that $\hat{M} = M$, while at the same time making Eve as ignorant as possible. The authenticated feedback channel available to Bob plays a key role in accomplishing both of these endeavors. This public noiseless channel is used to request the retransmission of erased packets. Since it is authenticated, Alice is able to deduce whether Bob sent the request, and can detect any tampering with the data [25], which restricts Eve to passive status [26]. Requests by Bob are public, and there is no secret key employed at the physical layer. The sole source of confusion for Eve is her own naturally occurring erasure pattern across $Q_w$.¹

As mentioned in Section I, we define physical-layer security for this system with the cryptographic layer in mind. Cryptographic attacks often assume an attacker has the luxury of an error-free version of $M$ (or even some of the plaintext), but our design aims to prevent this from occurring, by creating degrees of freedom in the attacker's knowledge of $M$.

Definition 1. The number of degrees of freedom in a received codeword is a random variable $D$ which takes on the number of encoded symbols for which an eavesdropper has no information. Therefore, the probabilities of all symbol values on these $D$ symbols are equally likely.

For binary codes with $D = d$, a codeword of length $n$ can be any of $2^d$ equally likely codewords, each mapping to a unique $k$-bit message in $\mathcal{M}$. Since we assume that the attacker knows the encoder, the maximum value of $D$ is $k$, and can be shown to have an information-theoretic definition. Since an attacker has no knowledge of these bits, an average of $2^{E[D]-1}$ guesses must be made to obtain them. Using this reasoning, the goals of our physical-layer design are: first, to ensure that $D = 0$ for Bob so that $\hat{M} = M$; second, to make $D$ as large as possible for Eve; and third, to ensure that attacks on the cryptogram fail if $\tilde{M} \neq M$.

III. LDPC Codes and Stopping Sets 

We employ LDPC codes [27] and exploit the phenomenon of stopping sets to obtain security from the physical layer. This section provides limited background of LDPC codes and stopping sets in order to establish the foundation upon which to present our encoder.

Let us define a general binary LDPC code $C$ with blocklength $N$, and dimension $k$. Note that this $k$ is identical to $k$ from Section II, but $N$, the blocklength of the LDPC code, is different from $n$, the blocklength of the encoder, because $n$ is the codeword length after puncturing. The parity check matrix $H$ fully defines the code, and is $(N - k) \times N$. We will find it helpful to think of $H$ in terms of its corresponding Tanner graph $G_C$ [28], [29]. The set of variable nodes is $V = (v_1, v_2, \ldots, v_N)$, while the set of check nodes is $U = (u_1, u_2, \ldots, u_{N-k})$. Variable nodes correspond to the $N$ bits in a codeword. Checks correspond to rows in $H$, where the set of bits that participate in the check $u_i$ is denoted $\mathcal{N}_i = \{j : H_{ij} = 1\}$ [28]. Then the $i$th check is calculated in GF(2) as $u_i = \sum_{j \in \mathcal{N}_i} v_j$. The notation $\mathcal{N}_{i,j}$ signifies all bits in the $i$th check except the $j$th bit. The $j$th variable node shares an edge with the $i$th check node in $G_C$ if and only if $j \in \mathcal{N}_i$. The Tanner graph for a simple example is shown in Fig. 2.

Decoding of an LDPC codeword over a BEC can be accomplished using maximum-likelihood (ML) decoding [30], by solving a system of equations. However, the iterative message-passing (MP) decoder is commonly used due to its computational efficiency. We briefly explain both decoders.

¹ It is noted that results in Section VI are provided for this system, as well as the more general model which allows an arbitrary number of legitimate receivers and eavesdroppers.

Fig. 2. Tanner graph for MP decoding over the BEC with a highlighted stopping set due to erasures at variable nodes $v_3$ and $v_5$.

A. Maximum-Likelihood Decoding 

Let us consider an LDPC codeword $x \in C$ transmitted over a BEC and let $y$ denote the received codeword. Note that $x_i \in \{0, 1\}$ and $y_i \in \{0, 1, e\}$ where $e$ signifies an erased bit. We let $\mathcal{K}$ denote the set of known bits in $y$, and $\bar{\mathcal{K}}$ denote the set of erased bits in $y$. Furthermore, $H_{\mathcal{K}}$ and $H_{\bar{\mathcal{K}}}$ can be understood to be matrices formed by the columns of $H$ indexed by $\mathcal{K}$ and $\bar{\mathcal{K}}$, respectively. Similarly, $x_{\mathcal{K}}$ and $x_{\bar{\mathcal{K}}}$ are vectors composed of only the bits indexed by the respective sets $\mathcal{K}$ and $\bar{\mathcal{K}}$.

Clearly, $0 = Hx^T = H_{\mathcal{K}} x_{\mathcal{K}}^T + H_{\bar{\mathcal{K}}} x_{\bar{\mathcal{K}}}^T$, where $x_{\mathcal{K}} = y_{\mathcal{K}}$, and thus $H_{\mathcal{K}} x_{\mathcal{K}}^T = z^T$ is known. The maximum likelihood decoder must then solve for the channel-erased bits $x_{\bar{\mathcal{K}}}$ using the system of equations given by

$$H_{\bar{\mathcal{K}}} x_{\bar{\mathcal{K}}}^T = z^T. \quad (2)$$

This system has a unique solution when the erased bits are such that the columns of $H_{\bar{\mathcal{K}}}$ are linearly independent [31]. We can obtain a bound from this statement which we will use to analyze security in the worst case.

Proposition 1. For a linear code $C$ with blocklength $N$ and dimension $k$, the ML decoder over the BEC cannot have a unique solution if the number of erasures exceeds $N - k$, that is if $|\bar{\mathcal{K}}| > N - k$.

Proof: The rank of $H_{\bar{\mathcal{K}}}$ equals the number of linearly independent rows or columns of the matrix ([32], pg. 244). Since $N - k$ is the number of rows in $H$, the rank of $H_{\bar{\mathcal{K}}}$ can never exceed $N - k$, and thus the ML decoder cannot produce a unique solution when $|\bar{\mathcal{K}}| > N - k$. ■

In fact, when the number of erasures exceeds $N - k$, the system in (2) will be such that the degrees of freedom in the ML decoder $D_{ML} \geq |\bar{\mathcal{K}}| - (N - k)$, where we achieve equality if there are $N - k$ linearly independent columns in $H_{\bar{\mathcal{K}}}$ [30]. In any case, $D_{ML}$ is equal to the difference in the number of erased bits and the number of linearly independent columns of $H_{\bar{\mathcal{K}}}$, and is zero if this difference is negative. This definition clearly satisfies the notion of degrees of freedom from Definition 1 for this decoder. Thus we see that the effectiveness of the decoder is strictly bounded by the redundancy of the code. While faster methods have been discovered for solving a linear system of equations, the straightforward decoder is known to have complexity $((1 - R)\beta + \gamma\delta)\delta^2 N^3$, where $R$ is the rate of the code, $\beta$ and $\gamma$ are constants which are also a function of the elimination algorithm chosen to solve the system of equations, $\delta$ is the erasure probability in the channel, and $N$ is the blocklength of the code [30].

B. Message-Passing Decoding 

Let $C$, $x$, and $y$ hold the same definitions as for the ML decoder. The MP decoder is an iterative decoder based on the Tanner graph representation of $C$. The decoding process passes messages between $U$ and $V$ along the edges of $G_C$. One version of the decoder is given as Algorithm 1 (adapted from [31]). The number of degrees of freedom in the MP decoder $D_{MP}$ is the cardinality of the smallest set of bit values that must be supplied in order to decode all remaining bits. If the decoder succeeds, then $D_{MP} = 0$. Clearly, this maintains the definition of degrees of freedom given in Definition 1 when restricted to this decoder, because any bit combination of these $D_{MP}$ values decodes to a valid codeword, and each is equally likely without further information. A bound on the correction capabilities of the MP decoder is given by the following proposition.

Proposition 2. The MP decoder over the BEC can correct no more than $N - k$ erasures.

Proof: In Algorithm 1 each check node can correct at most one variable node, and $|U| = N - k$. ■

The MP decoder is suboptimal compared with the ML decoder, although the MP decoder has linear complexity in the blocklength [28]. A more detailed comparison of the two decoders is offered in [33].



Algorithm 1 Message-Passing Decoder over the BEC [31].
1: Initialize: For $y_i \neq e$, set $v_i = y_i$ and declare all such variable nodes as known.
2: if (No variable nodes are known and no check node has degree one) then
3: Output the (possibly partial) codeword and stop.
4: else
5: Delete all known variable nodes along with their adjacent edges.
6: end if
7: For each variable node $v_j$ connected to a degree one check node $u_i$, declare $v_j$ as known and set $v_j = \sum_{k \in \mathcal{N}_{i,j}} v_k$. Jump to 2.



C. Stopping Sets 

In order to make $D$ as large as possible for our system when an eavesdropper uses an MP decoder, we would like to design the encoder block from Fig. 1 so that every bit erased by the channel adds a degree of freedom to the decoder. Stopping sets provide a means of accomplishing this task.

Definition 2 (Di et al. [34]). A stopping set is a set $S \subseteq V$ such that all check nodes in $N(S)$ are connected to $S$ by at least two edges, where $N(S)$ signifies the neighborhood of $S$ and is defined as the set of all adjacent nodes to any member of $S$ in $G_C$.

Notice that the empty set, by definition, is a stopping set, as is any union of stopping sets. Thus, any set of variable nodes has a unique maximal stopping set in it.² See Fig. 2 for a simple example; clearly the erasures cannot be resolved using Algorithm 1. This gives way to the following lemma, proved in [34].
Lemma 1 (Di et al. [34], Lemma 1.1). Let $G$ be the Tanner graph defined by the parity check matrix $H$ of a binary linear block code $C$, and assume that $C$ is used to transmit over the BEC. Let $A$ be the set of erased bits in the received codeword. Then, using Algorithm 1 on $G$, the set of erasures which remain after decoding comprise the unique maximal stopping set in $A$.

Since stopping sets cause the MP decoder to fail, puncturing in the encoder will be done with an attempt to inflict Eve with stopping sets. However, the ML decoder will still succeed, even in the presence of stopping sets, as long as the erased bits have linearly independent columns in $H$. We account for both decoders in our design by using a particular ensemble of LDPC codes where $D_{MP}$ can be made equal to $D_{ML}$, thus ensuring secrecy regardless of the decoder used by Eve. The simplicity of MP decoding is also preserved for all legitimate receivers.

IV. Encoder 

The encoder design is based on the fact that $I(M; Z) \leq I(M; X)$ because processing cannot increase information, and $M \to X \to Z$ is a Markov process [37]. The key idea in the decoder is to reduce $X$ to the decoding threshold. In other words, $X$ can be used to recover $M$ by design, but if any erasures remain in $Z$ following transmission, unique decodability is not possible. Proper design maximizes $D$ for Eve. The stages of encoding are portrayed in Fig. 3, where each stage fulfills a specific purpose within the overall goals of obtaining secrecy and reliability. The following principles are addressed in the design of this encoder:

• Bits of $M$ are hidden from immediate access in the decoded words using nonsystematic LDPC codes.

• Scrambling prior to coding magnifies errors due to the physical layer of the communication system.

• The error-correction capabilities of the LDPC code are restricted by intentional puncturing of encoded bits. (Bob obtains reliability through ARQ, rather than error correction.)

• Bits from encoded blocks are interleaved amongst several transmitted packets so that a single erased packet results in erasures in many encoded blocks of data.

² For our purposes, we will sometimes ignore the empty set as a stopping set and say that a set $A$ contains no stopping sets, meaning that the maximal stopping set in $A$ is $\emptyset$.

³ For further information on stopping sets as they relate to LDPC code ensembles, see [35] and [36].



A. Nonsystematic LDPC Codes 

Recall from Section II that $M = (m^1, m^2, \ldots, m^L)$, where $m^i = (m^i_1, m^i_2, \ldots, m^i_k) \in \mathcal{M}$ for $i = 1, 2, \ldots, L$. These $L$ blocks of encrypted message form the input to the nonsystematic LDPC encoder with blocklength $N$ and dimension $k$. The output of the LDPC encoder $B$ is given as $L$ codewords of length $N$, denoted as $B = (b^1, \ldots, b^L)$ where each vector $b^i = (b^i_1, b^i_2, \ldots, b^i_N)$. Certainly, if the code $C$ were systematic, then the bits of $m^i$ would appear explicitly in the encoded block $b^i$. For secrecy purposes, nonsystematic codes are employed.

Nonsystematic LDPC coding is typically implemented as a two stage process to improve encoder complexity [38], [39], [12]. Let $S$ be an invertible $k \times k$ scrambling matrix in GF(2), and let $G$ be a $k \times N$ systematic generator matrix. Let $m$ be a length-$k$ message. Then our LDPC encoding process applies the scrambling matrix to $m$ as

$$m' = mS. \quad (3)$$



The data are then encoded using $G$ by $b = m'G$ to obtain a length-$N$ block of encoded data. Clearly at the decoder the inverse operation first requires the bits of $b$ to be obtained through either MP or ML decoding. Since $G$ is systematic, the bits of $m'$ are explicit in $b$. The bits of $m$ can then be found by applying the inverse of $S$ in the descrambling operation

$$m = m'S^{-1}. \quad (4)$$



This process amplifies errors in the decoding process as a function of the sparsity of $S^{-1}$. Note that $S^{-1}$ can be obtained through e.g. LU decomposition [32], with modifications for GF(2). In our experience, randomly generated scrambling matrices which are nonsingular are likely to have inverses with just less than 50% of the entries equal to one on average. If $S$ matrices are randomly generated until one can be inverted to obtain $S^{-1}$, the resulting despreading operation is enough to cause even a single error in $m'$ to result in roughly a 50% error rate in $m$ as shown in Section VII. Although this can be made more precise, the result is intuitive because a bit in $m$ is a linear combination of bits in $m'$. Thus, if there are an odd number of bits in error in a given combination of say $m_j$, then that bit will be in error. On average, the row weight in $S^{-1}$ is approximately $k/2$, and the expectation of $k/2$ bits in error holds for any number of errors in $m'$.
Since only one $(S, S^{-1})$ pair need be used by the system, the matrices can be generated off-line, which does not affect encoding and decoding complexity. However, the complexity of both the encoder and the decoder is increased due to the matrix multiplications in (3) and (4). Both of these operations are $O(k^2)$. General systematic encoder complexity is $O(N^2)$ because $G$ is not sparse by design [28], although improvements can be made using appropriate preprocessing as outlined in [31]. The encoding technique specified in [31] gives encoder complexity of $O(N + g^2)$ where $g$ is the gap in an approximate lower triangular form of the parity check matrix and is less than $N - k$. The complexities for the ML and MP decoders are given in Sections III-A and III-B as $O(N^3)$ and $O(N)$, respectively.
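As an added illustration of (3) and (4) and of the error amplification described above (example code, not the paper's own): a random nonsingular scrambling matrix $S$ over GF(2), its inverse by Gauss-Jordan elimination, and a count of how many bits of $m$ flip when a single bit of $m'$ is wrong. The function names, the toy size $k = 16$ and the seeds are assumptions.

```python
"""Scrambling (3) and descrambling (4) over GF(2), and the error amplification
caused by S^{-1}.  Added example, not the paper's code; sizes and seeds are
constructed for illustration."""
import random


def gf2_inverse(S):
    """Invert a square 0/1 matrix over GF(2) by Gauss-Jordan elimination on
    [S | I].  Returns None when S is singular, so callers can resample."""
    k = len(S)
    aug = [list(S[i]) + [int(i == j) for j in range(k)] for i in range(k)]
    for col in range(k):
        pivot = next((r for r in range(col, k) if aug[r][col]), None)
        if pivot is None:
            return None
        aug[col], aug[pivot] = aug[pivot], aug[col]
        for r in range(k):
            if r != col and aug[r][col]:
                aug[r] = [a ^ b for a, b in zip(aug[r], aug[col])]
    return [row[k:] for row in aug]


def vec_mat(v, M):
    """Row vector times matrix over GF(2): (vM)_j = sum_i v_i M_ij mod 2."""
    return [sum(v[i] & M[i][j] for i in range(len(v))) % 2 for j in range(len(M[0]))]


def random_invertible_scrambler(k, seed):
    """Draw random k x k GF(2) matrices until one is nonsingular, the practice
    the text describes; returns (S, S_inv)."""
    rng = random.Random(seed)
    while True:
        S = [[rng.randint(0, 1) for _ in range(k)] for _ in range(k)]
        S_inv = gf2_inverse(S)
        if S_inv is not None:
            return S, S_inv


def scramble(m, S):
    """Equation (3): m' = m S."""
    return vec_mat(m, S)


def descramble(m_prime, S_inv):
    """Equation (4): m = m' S^{-1}."""
    return vec_mat(m_prime, S_inv)


def errors_after_descrambling(S_inv, error_positions):
    """Number of bits of m that are wrong when the bits of m' listed in
    error_positions are wrong.  By linearity the damage is e S^{-1} for the
    error pattern e, independent of the message: a single error at position j
    flips exactly the bits selected by row j of S^{-1}."""
    k = len(S_inv)
    e = [int(j in error_positions) for j in range(k)]
    return sum(vec_mat(e, S_inv))


def average_inverse_density(k, trials, seed):
    """Fraction of ones in S^{-1} averaged over random nonsingular S; the text
    reports just under one half, i.e. a row weight of about k/2."""
    ones = 0
    for t in range(trials):
        _, S_inv = random_invertible_scrambler(k, seed + t)
        ones += sum(map(sum, S_inv))
    return ones / (trials * k * k)


if __name__ == "__main__":
    S, S_inv = random_invertible_scrambler(16, seed=1)
    m = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 1, 0, 1]   # constructed message
    assert descramble(scramble(m, S), S_inv) == m
    print("bits of m hit by one error in m':", errors_after_descrambling(S_inv, {3}), "of 16")
    print("average density of S^-1 for k = 32:", average_inverse_density(32, 20, seed=7))
```

Because the damage is linear in the error pattern, the count returned for a single erroneous position equals the weight of the corresponding row of $S^{-1}$, which the density estimate shows hovers near $k/2$.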

B. Puncturing 

The next step in the encoding process is to apply a puncturing pattern to each codeword in $B$. Let the puncturing pattern $R \subseteq V$ indicate which bits in each $b^i$ are to be punctured. Recall that $V$ is the set of variable nodes in the Tanner graph $G_C$. The punctured blocks $P = (p^1, p^2, \ldots, p^L)$, where each $p^i = (p^i_1, p^i_2, \ldots, p^i_n)$, are shown in Fig. 3 to have length $n$, which was defined in Section II to be the blocklength of the encoder. All bits which are not punctured belong to the set $Q$ so that $V = R + Q$; therefore, the length of each block in $P$ is equal to $|Q| = n$. The puncturing pattern is chosen in order to induce stopping sets in an eavesdropper's received data.

Definition 3. A puncturing pattern $R$ is deemed acceptable if and only if there are no stopping sets in $R$, and $R + v$ contains some nonempty stopping set $S_v$ for every variable node $v \in Q$.

Such a set $R$ can be constructed using the random technique outlined in Algorithm 2, which also calls Algorithm 3 in order to check for stopping sets in a computationally tractable manner [11].



Algorithm 2 Finds an acceptable puncturing pattern $R$ within the set of all variable nodes $V$.
1: Initialize: $R = v$, for a randomly chosen $v \in V$, and $Q = \emptyset$.
2: if ($V \setminus (R \cup Q) \neq \emptyset$) then
3: Choose another $v$ randomly from $V \setminus (R \cup Q)$.
4: Run Algorithm 3 with $A = R + v$ to check for stopping sets.
5: if ($R + v$ has a stopping set, i.e. Algorithm 3 returns true) then
6: $Q = Q + v$.
7: else
8: $R = R + v$.
9: end if
10: Jump to 2.
11: else
12: Terminate.
13: end if



Algorithm 3 Checks for the existence of stopping sets in a
subset of variable nodes, A ⊆ V [11].

1: Initialize: S ← A
2: if (S ≠ ∅) then
3:   Induce subgraph G' in G using (S ∪ N(S)).
4:   if (∃ a check node in G' with degree 1) then
5:     Delete variable nodes from S which are adjacent
       to check nodes of degree 1 in G', jump to 2.
6:   else
7:     Return true. S is the maximal nonempty stopping set in A.
8:   end if
9: else
10:  Return false. There is no nonempty stopping set in A.
11: end if

Lemma 2. The output of Algorithm 2 is always an acceptable
puncturing pattern R as defined in Definition 3.

Proof: We must first show that upon completion of
Algorithm 2 there are no stopping sets in R. Assume for
a contradiction that R has a stopping set. Then there is a bit
v ∈ R which, when added to R during the construction process,
caused a stopping set to first appear. Then by Algorithm 2,
v ∉ R. This provides the contradiction. It remains to be proved
that Algorithm 3 operates as expected.

Proposition 3. Algorithm 3 always returns true when A has
a nonempty stopping set, and always returns false otherwise.

Proof of Proposition: Suppose that the bits in A were
actually erasures over the BEC, and Algorithm 1 was used
to decode. Realize that erasures recovered in the ith iteration
of Algorithm 1 correspond exactly to the nodes deleted in
the ith iteration of Algorithm 3. If all bits can be resolved
using MP decoding then all nodes will be deleted in Algorithm
3 and false is returned. If, however, MP decoding returns a
partial codeword, then Algorithm 3 will return true because
all remaining bits have degree greater than one in the induced
subgraph G'. Therefore, by Lemma 1 the remaining nodes
comprise the maximal stopping set of A. ■

To complete the proof of Lemma 2 we must also show that
for any v ∈ Q, R + v has a nonempty stopping set. Since in
Algorithm 2 every v ∈ Q is such that for some subset R' ⊆ R,
R' + v has a stopping set, therefore R + v has a stopping set
for any v ∈ Q. ■

Thus, puncturing according to R in each p^i for i =
1, 2, ..., L, guarantees that every bit in each p^i is crucial for
successful MP decoding.

Complexity of Algorithm 2 is linear in the blocklength N,
because it chooses N − 1 bits in a random order, and calls
Algorithm 3 after each choice. The complexity of Algorithm
3 in the worst case is quadratic in |U| = N − k, the number
of check nodes in G_C. Line 5 of the algorithm will be
repeated a maximum of \sum_{i=1}^{|U|} i = (|U|^2 + |U|)/2 times if a single
node is deleted each time the line is executed. Therefore, the
complexity of finding an acceptable puncturing pattern R is
at most quadratic in |U|, and linear in N, i.e. has complexity
O(N|U|^2). Thus the algorithm can be used in practical system
design to compute R off-line.
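As an added example (not the paper's code), the two algorithms above written in Python over a constructed 4 × 8 parity-check matrix H, which is an assumption of this example rather than a code from the paper: has_stopping_set is Algorithm 3 (the peeling check, returning the maximal stopping set when one exists), acceptable_puncturing_pattern is Algorithm 2, and is_acceptable checks the result against Definition 3.

```python
import random

# Constructed toy parity-check matrix (N = 8 variable nodes, N - k = 4 check
# nodes). It is not a code from the paper; it is small enough to trace by hand
# and contains stopping sets, e.g. {0, 4} and {5, 6}.
H = [
    [1, 1, 0, 1, 1, 0, 0, 0],
    [0, 1, 1, 0, 0, 1, 1, 0],
    [1, 0, 1, 0, 1, 0, 0, 1],
    [0, 0, 0, 1, 0, 1, 1, 1],
]


def has_stopping_set(H, A):
    """Algorithm 3: peel away variable nodes of A that are adjacent to a check
    node of degree one in the subgraph induced by A. Returns (True, S) with S
    the maximal stopping set of A, or (False, set()) if A peels to nothing."""
    S = set(A)
    while S:
        # degree of every check node restricted to the variable nodes left in S
        degrees = [sum(1 for v in S if row[v]) for row in H]
        peel = {v for v in S
                for c, row in enumerate(H) if row[v] and degrees[c] == 1}
        if not peel:
            return True, S   # every remaining node meets only degree >= 2 checks
        S -= peel
    return False, set()


def acceptable_puncturing_pattern(H, rng):
    """Algorithm 2: grow R one randomly chosen variable node at a time; a node
    whose addition creates a stopping set is put into Q instead."""
    V = list(range(len(H[0])))
    R, Q = {rng.choice(V)}, set()
    while True:
        remaining = [v for v in V if v not in R and v not in Q]
        if not remaining:
            return R, Q
        v = rng.choice(remaining)
        if has_stopping_set(H, R | {v})[0]:
            Q.add(v)
        else:
            R.add(v)


def is_acceptable(H, R, Q):
    """Definition 3: no stopping set in R, and R + v has one for every v in Q."""
    if has_stopping_set(H, R)[0]:
        return False
    return all(has_stopping_set(H, R | {v})[0] for v in Q)


def demo(seed=1):
    """Build a pattern with a fixed seed and report whether it is acceptable."""
    R, Q = acceptable_puncturing_pattern(H, random.Random(seed))
    return sorted(R), sorted(Q), is_acceptable(H, R, Q)


if __name__ == "__main__":
    print(demo())
```

A set with no stopping set is resolved by the peeling decoder, so the columns of H it indexes are linearly independent; |R| therefore never exceeds the rank of H (at most N − k), which is the quantity Example 1 measures empirically for real ensembles.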

C. Regular vs. Irregular Codes

The overall rate k/n of the nonsystematic and punctured
code is a function of the rate of the systematic LDPC code,
and |R|. Simulations have shown that the size of R is very
much a function of the degree distribution on C, although the
exact relationship is still unknown.

Example 1. Let C be a regular rate-1/2 code with N = 1000,
w_c = 4, and w_r = 8, where w_c and w_r are the fixed column
and row weights of the parity check matrix, respectively.
The size |R| appears to be Gaussian-distributed for this
family of codes with a mean size of approximately 436, with
variance roughly equal to 15. Let us examine, however, an
irregular ensemble with the same rate and blocklength, but
having the following edge degree distribution pair: λ(x) =
0.32660x + 0.11960x^2 + 0.18393x^3 + 0.36988x^(·) on variable
node weights, and ρ(x) = 0.78555x^(·) + 0.21445x^(·) on check
node weights, where the exponents marked (·) are illegible in
the source (see [28], pg. 664), and where H is formed using the
socket approach given in [30]. Here the distribution on |R|
is much tighter, ranging from 496 to 500. The size of R is
equal to 500 with probability roughly equal to 0.1, 499 with
probability around 0.56, and 498 with probability near 0.26.
Thus with some degree of confidence, we can claim that for
this rate-1/2 irregular code ensemble the random technique
given in Algorithm 2 yields a puncturing pattern with size
nearly equal (and equal in some cases) to N − k.

As a direct result, a puncturing pattern generated for the
irregular code of the example has a unique property. Namely,
that for some patterns D_MP = D_ML.

Lemma 3. Let R_c denote the indices of the channel-erased
bits of p^i, and D_MP and D_ML denote the degrees of freedom
using MP decoding and ML decoding, respectively. If an
irregular LDPC code is employed over the BEC with intentional
puncturing determined by Algorithm 2 in which |R| = N − k,
then D_ML = D_MP = |R_c|.

Proof: The ML portion of this lemma follows from
Proposition 1, i.e. that the ML system of equations can
resolve a maximum of N − k erasures. Since |R| = N − k,
any erasure by the channel is guaranteed to give a degree of
freedom in the decoder. The MP case is the same because by
Proposition 2 the MP decoder can correct at most N − k
erasures. Thus any bits erased by the channel (or perhaps
another set of bits of equal size) must be guessed in order
to decode. Therefore, the effectiveness of the ML decoder is
equal to that of the MP decoder when |R| = N − k. ■

It should be noted that if the number of systematic bits in
R + R_c is less than D, a brute-force attack on these bits
might be more appealing to an attacker than decoding the
entire codeword. To cover this possibility, D can be thought
of as the minimum between the number of systematic bits
missing to the eavesdropper, and the degrees of freedom in the
decoder, although in practice the number of systematic bits
removed through puncturing or erased by the channel usually
exceeds the degrees of freedom in the decoder.

D. Interleaving

The role of the interleaver is to ensure that all packets
must be obtained error-free for successful decoding in any
and all encoded blocks. To do this, we construct a collection
of η packets to be transmitted, X = (x^1, x^2, ..., x^η), in the
following manner. Alice defines a, a small positive integer
which is assumed to divide n (not necessary, but convenient
for notation and analysis), such that η = n/a, and the ith
packet is formed as

  x^i = (x^i_1, x^i_2, \ldots, x^i_{aL})
      = (p^1_{(i-1)a+1}, \ldots, p^1_{ia}, \; p^2_{(i-1)a+1}, \ldots, p^2_{ia}, \; \ldots, \; p^L_{(i-1)a+1}, \ldots, p^L_{ia})   (5)

for i = 1, 2, ..., η. In words, we form the packet x^i by
concatenating a bits from each encoded and punctured block p^j
for j = 1, 2, ..., L. Therefore, a single erased packet causes
a erasures in each punctured block at the decoder. Since we
have designed R so that any erasure of a bit in p^j results in
MP decoding failure, we can be assured that any erased packet
will cause all L blocks to fail in the MP decoder due to this
interleaving. If R can be designed so that |R| = N − k, then
the same result holds for ML decoding by Lemma 3.

Corollary 1. If |R| = N − k and packets are formed
according to (5), then the number of degrees of freedom in
the ith codeword is D^i_ML = D^i_MP = D^i = a|R_p| for
i = 1, 2, ..., L, where R_p is a list of all erased packets.
Furthermore, D^i = D^j for all i, j.

Proof: The first part is trivial and follows directly from
Lemma 3 and (5). We see that D^i = D^j because a
missing packet means exactly a degrees of freedom in each
block, irrespective of decoder choice. ■

V. Decoder for Legitimate Users

The decoder for legitimate users is simply the inverse of all
encoder operations. A user can decode all data as long as every
packet is received error-free. Legitimate users make use of
the authenticated feedback channel to request retransmission
of packets erased in the main channel during transmission.
Time delay and queueing aspects of ARQ protocols are well-
addressed in the literature, e.g. [30] and its references. The
decoding process is shown pictorially in Fig. 4. Once all
packets are obtained in Y, the bits are deinterleaved back into
their intentionally punctured codewords P. The MP decoder
is then guaranteed to decode the puncturing in linear time
with the blocklength to obtain B [28], and the inverse of
the scrambling matrix is applied to the systematic decoded
bits to obtain M̂. Once all packets are known, this
decoder guarantees that M̂ = M.
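The packetization in (5) and the deinterleaving step of Bob's decoder just described, as an added Python example that is not part of the paper: interleave builds the η packets from the L punctured blocks, deinterleave reverses it, and erase_packets together with degrees_of_freedom show that losing a packet costs every block exactly a bits, the D^i = a|R_p| statement of Corollary 1. The blocks P are constructed bit patterns, not codewords of any code.

```python
def interleave(P, a):
    """Eq. (5): form eta = n/a packets, the i-th carrying a consecutive bits
    from each of the L punctured blocks p^1, ..., p^L (bits kept as ints)."""
    n = len(P[0])
    if n % a:
        raise ValueError("a must divide n")
    eta = n // a
    return [[bit for block in P for bit in block[i * a:(i + 1) * a]]
            for i in range(eta)]


def deinterleave(packets, L, a):
    """Bob's decoder (Section V): undo (5) once every packet is present."""
    blocks = [[] for _ in range(L)]
    for packet in packets:
        for j in range(L):
            blocks[j].extend(packet[j * a:(j + 1) * a])
    return blocks


def erase_packets(packets, erased_ids):
    """Eve's view of the channel: each erased packet becomes a run of None."""
    return [[None] * len(p) if i in erased_ids else p
            for i, p in enumerate(packets)]


def degrees_of_freedom(blocks):
    """Corollary 1: D^i is the number of erased bits in block i; with the
    interleaver of (5) every block loses a*|R_p| bits."""
    return [sum(bit is None for bit in block) for block in blocks]


if __name__ == "__main__":
    # constructed sample: L = 3 blocks of n = 12 bits, a = 3 -> eta = 4 packets
    P = [[(7 * j + t) % 2 for t in range(12)] for j in range(3)]
    packets = interleave(P, 3)
    received = erase_packets(packets, {1, 3})      # |R_p| = 2 packets lost
    print(degrees_of_freedom(deinterleave(received, 3, 3)))
```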

Fig. 4. Detailed block diagram of Bob's decoder. Number and size of blocks
or packets are indicated at each step.

VI. Security against Wiretappers

An eavesdropper can decode the data using Bob's decoder in
Fig. 4 if all packets are obtained error-free. The independence
of Q_m and Q_w, however, prevents Eve from receiving some
packets, with a probability that is a function of δ and ε, the
respective probabilities of erasures in Q_m and Q_w. Let R_ef be
the event that a single packet is received error-free by at least
one eavesdropper after all retransmissions of the packet
requested by any legitimate receiver have been filled. This
section shows the blanket security effect of our encoder over
nearly the entire region of possible (δ, ε) pairs by completely
characterizing D for the system. We first show D to be
binomially distributed, and then provide security results for
all scenarios studied as a function of R_ef. Expressions for
Pr(R_ef) follow for the wiretap channel case, the broadcast
scenario with m intended receivers, the case with l collaborating
eavesdroppers, and the most general case with both m legitimate
receivers and l collaborating eavesdroppers. For cases beyond
the simple wiretap scenario, all m legitimate receivers are given
access to the feedback channel, and all l eavesdroppers are
restricted to passive status through authentication on the channel.
Retransmissions in the ARQ protocol are executed only after
requests are received from all legitimate parties.

Since proper design of the encoder was shown to cause
D to have the same realization for every codeword and be
independent of the decoder in Corollary 1, we understand D to
represent the degrees of freedom in every codeword assuming
either the ML or MP decoder for the rest of the paper.

A. General Security Theorems

Lemma 4. The random variable D which governs the number
of degrees of freedom in a received codeword is a scaled
binomial random variable. Thus, for 1 ≤ β ≤ aη,

  \Pr(D \ge \beta) = 1 - \sum_{i=0}^{\lceil \beta/a \rceil - 1} \binom{\eta}{i} \big(1 - \Pr(R_{ef})\big)^{i} \Pr(R_{ef})^{\eta - i}.   (6)

Proof: By definition, packets are erased for eavesdroppers
with probability (1 − Pr(R_ef)). Since there are η independent
Bernoulli trials, each identically distributed, the number of erased
packets |R_p| is a binomial random variable with parameters
η and (1 − Pr(R_ef)) [41]. Then, by Corollary 1, D = a|R_p|,
where a bits from every codeword are sorted into each packet.
Thus, D is a scaled binomial random variable; specifically
D ~ Bin(η, 1 − Pr(R_ef)) · a. Since D = a|R_p|, D ≥ β
implies that a|R_p| ≥ β. Clearly, this requires that |R_p| ≥
⌈β/a⌉. The result in (6) follows directly. ■

The expected value is therefore known due to the binomial
structure of D. We also prove an important property in regards
to E[D].

Theorem 1. If |R| = N − k in the encoder, then k/n = 1,
and E[D] = H(X|Z) = (1 − Pr(R_ef))n.

Proof: Since |R| = N − k, then n = |Q| = N − |R| = k.
Let us consider the model for a single codeword (L = 1). We
can then assume η independent uses of a PEC with packets of
length a. Let X be the input to the channel, and Z the output,
where a bits are erased with probability (1 − Pr(R_ef)) or
received error-free with probability Pr(R_ef) with each channel
use. The input distribution on a bits is uniform because the
input distribution on M is uniform, and the encoding function
of rate one forms a bijection on k bits. Thus, H(X) = a.
Clearly H(Z|X) = H(1 − Pr(R_ef)), and H(Z) = H(1 −
Pr(R_ef)) + Pr(R_ef) a (see [37], pg. 188), where H(·) of a
probability denotes the binary entropy function. Then,

  H(X|Z) = H(Z|X) - H(Z) + H(X)   (7)
         = a\,(1 - \Pr(R_{ef})).   (8)

Therefore, with η independent uses of the channel (one for
each packet), H(X|Z) = (1 − Pr(R_ef))ηa = (1 − Pr(R_ef))n.
Since the mean of a binomial random variable is the product of
its two parameters, E[D/a] = (1 − Pr(R_ef))η, and therefore

  E[D] = (1 - \Pr(R_{ef}))\,\eta a = (1 - \Pr(R_{ef}))\,n.   (9)

Thus we see that E[D] is equal to the information-theoretic
value of equivocation when the puncturing is accomplished so
that |R| = N − k. Therefore, perfect secrecy is obtained when
E[D] = k. Of course, this occurs when Pr(R_ef) = 0, which
implies that the eavesdropper obtains zero packets. Thus, this
scheme cannot achieve perfect secrecy. However, it can be
shown using the achievable rates in [11] that E[D] approaches
the maximum achievable equivocation for k/n = 1. These
results now require expressions for Pr(R_ef) to complete the
security characterization in D.



B. One Receiver and One Wiretapper

The simplest case matches the setup given in Fig. 1 and
was originally proved in [11].

Lemma 5 (Harrison, et al. [11]). In the wiretap channel
scenario with feedback, the probability that Eve obtains a
single transmitted packet is given as

  \Pr(R_{ef}) = \frac{1 - \epsilon}{1 - \epsilon\delta}.   (10)

Intuition of security for the wiretap channel in terms of D
can be gained by using the expression for Pr(R_ef) in (10)
to plot (6) for different values of β, a, and η. Fig. 5 shows
Pr(D ≥ 1) for η = 100. Note that when β = 1, a is not
required to evaluate (6). This case is provided to show the
plateau and falloff regions in the (δ, ε) grid for Pr(D ≥ β).
Throughout the plateau region, stopping sets occur in the MP
decoder and the ML decoder has linearly dependent columns
in its system of equations with probability very close to one.
The results of Lemmas 4 and 5 give

  \Pr(D \ge 1) = 1 - \Big(\frac{1 - \epsilon}{1 - \epsilon\delta}\Big)^{\eta},

which can be examined in the limit as η → ∞. It is immediate
that except for when δ = 1 or ε = 0, Pr(D ≥ 1) goes to one
for all (δ, ε) pairs as η gets large. From Theorem 1, if
|R| = N − k, then η = n/a = k/a. Clearly η grows with k;
therefore, the probability of security approaches one as k gets
large. Since large k necessitates large n and N, the same holds
true for these blocklength parameters. Codes with blocklength
N = 10,000 are deemed practical by today's standards. For
a = 1 and for a carefully chosen R with size roughly 5000,
then η ≈ 5000. This case is shown in Fig. 6 where, as
expected, all nontrivial (δ, ε) pairs show Pr(D ≥ 1) ≈ 1.

Fig. 5. Pr(D ≥ 1) when η = 100, as a function of the respective erasure
probabilities in Q_m and Q_w, δ and ε.

Fig. 6. Pr(D ≥ 1) when η = 5000, as a function of the respective erasure
probabilities in Q_m and Q_w, δ and ε.

Fig. 7. Pr(D ≥ 50) when a = 1 and η = 5000, as a function of the
respective erasure probabilities in Q_m and Q_w, δ and ε.

But of course, a single degree of freedom is easily guessed
in an attack. Let us examine the effects on security when β
takes on a larger value. This perspective is provided in Fig. 7,
where η = 5000 and β = 50 with a = 1. As can be seen in the
figure, there exists a cutoff region, where (δ, ε) pairs within the
plateau region will experience at least β degrees of freedom
with probability very close to one, while pairs outside the
region will have D < β with probability close to one. Owing
to the severity of the cutoff, the threshold can be approximated
by setting Pr(D ≥ β) = 0.5 in (6), and deriving a function of
δ and ε. This technique provides a unique threshold for each
specific set of values for β, a, and η.

Finally, let us inspect E[D] according to Theorem 1 for
this case:

  E[D] = \Big(1 - \frac{1 - \epsilon}{1 - \epsilon\delta}\Big)\eta a = \Big(1 - \frac{1 - \epsilon}{1 - \epsilon\delta}\Big) n.   (11)

This function grows linearly with n, which is equal to k when
|R| = N − k. Thus, to drive D to a large number in practice,
we simply must use a larger dimension in the encoder. Note
that in the expectation the choice of a does not affect security;
although, a = 1 allows η to be as large as possible, which
provides more confidence that D ≈ E[D] by the law of large
numbers ([41], pg. 193).
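The wiretap-channel quantities of Lemmas 4 and 5 and Theorem 1, as an added Python example (not the paper's code): pr_ref_wiretap is (10), pr_d_at_least is the binomial tail in (6), expected_d is (9), equivocation_per_packet carries (7)-(8) through numerically, and wiretap_threshold_eps locates the cutoff described above by solving Pr(D ≥ β) = 0.5 for ε at a fixed δ. Bisection is this example's choice; the paper does not say how its threshold curve was derived.

```python
from math import comb, ceil, log2


def pr_ref_wiretap(delta, eps):
    """Lemma 5, eq. (10): probability that Eve ends up with a given packet when
    Bob (erasure prob. delta) drives ARQ and Eve's channel erases w.p. eps."""
    return (1 - eps) / (1 - eps * delta)


def pr_d_at_least(beta, a, eta, p_ref):
    """Lemma 4, eq. (6): D = a|R_p| with |R_p| ~ Bin(eta, 1 - p_ref), so
    Pr(D >= beta) = Pr(|R_p| >= ceil(beta/a))."""
    need = ceil(beta / a)                       # erased packets required
    q = 1 - p_ref                               # per-packet erasure prob. for Eve
    return 1 - sum(comb(eta, i) * q ** i * p_ref ** (eta - i)
                   for i in range(need))


def expected_d(a, eta, p_ref):
    """Theorem 1, eq. (9): E[D] = (1 - Pr(R_ef)) eta a = (1 - Pr(R_ef)) n."""
    return (1 - p_ref) * eta * a


def binary_entropy(p):
    return 0.0 if p in (0.0, 1.0) else -p * log2(p) - (1 - p) * log2(1 - p)


def equivocation_per_packet(a, p_ref):
    """Eqs. (7)-(8): H(X|Z) = H(Z|X) - H(Z) + H(X) for one PEC use with
    a-bit packets and uniform input; equals a (1 - Pr(R_ef))."""
    h_x = a
    h_z_given_x = binary_entropy(1 - p_ref)
    h_z = binary_entropy(1 - p_ref) + p_ref * a
    return h_z_given_x - h_z + h_x


def wiretap_threshold_eps(delta, beta, a, eta, tol=1e-9):
    """Cutoff of Section VI-B: the eps at which Pr(D >= beta) = 0.5 for a
    fixed delta, found by bisection (Pr(D >= beta) increases with eps)."""
    lo, hi = 0.0, 1.0
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if pr_d_at_least(beta, a, eta, pr_ref_wiretap(delta, mid)) < 0.5:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


if __name__ == "__main__":
    # the Fig. 7 setting: a = 1, eta = 5000, beta = 50, sweep delta
    for delta in (0.1, 0.5, 0.9):
        eps_star = wiretap_threshold_eps(delta, 50, 1, 5000)
        print(delta, round(eps_star, 5),
              expected_d(1, 5000, pr_ref_wiretap(delta, eps_star)))
```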

C. Multiple Intended Receivers

In this section, we move past the single user case, and
address the more general broadcast channel originally presented
in [32]. There is also a single eavesdropper with probability
of an erased packet equal to ε as before. This case allows us
to understand the repercussions on security of having more
than one user for which we allow feedback requests. We can
characterize security using Lemma 4 and Theorem 1 in the
m user case by finding an expression for Pr(R_ef). Recall
that R_ef is the event that Eve receives a single transmitted
packet as before. Let each user have an independent PEC
with probability of erasure in the ith user's channel as δ_i for
i = 1, 2, ..., m. The following lemma is necessary to obtain
Pr(R_ef).

Lemma 6. If Q_1, Q_2, ..., Q_m are independent geometrically
distributed random variables with success parameters
λ_1, λ_2, ..., λ_m, and T_m = max(Q_1, Q_2, ..., Q_m), then the
probability mass function on T_m is given as

  f_m(t) = \prod_{i=1}^{m} \big(1 - (1 - \lambda_i)^{t}\big) - \prod_{j=1}^{m} \big(1 - (1 - \lambda_j)^{t-1}\big).   (12)

Proof: The proof is omitted for the sake of brevity, but
follows from an inductive assumption on m. ■



Armed with this lemma, we can obtain Pr(R_ef) for the
broadcast channel case.

Lemma 7. Using the broadcast channel with m independent
legitimate receivers and an eavesdropper,

  \Pr(R_{ef}) = \sum_{i=1}^{m} \frac{1 - \epsilon}{1 - \epsilon\delta_i}
    - \sum_{i<j} \frac{1 - \epsilon}{1 - \epsilon\delta_i\delta_j}
    + \sum_{i<j<k} \frac{1 - \epsilon}{1 - \epsilon\delta_i\delta_j\delta_k}
    - \cdots + (-1)^{m+1} \frac{1 - \epsilon}{1 - \epsilon\prod_{i=1}^{m}\delta_i},

where the notation i < j means the summation traverses over
all pairs such that i, j ∈ {1, 2, ..., m} and i < j, and
similarly for i < j < k, etc.

Proof: Note that if the ith user requests a single packet
until it is received, and in each transmission it is erased
with probability δ_i, then the total number of times the user
must request the packet is governed by a geometric random
variable with success parameter 1 − δ_i [41]. Define
W_1, W_2, ..., W_m as the geometric random variables governing
the total number of transmissions necessary for users
1, 2, ..., m, respectively, to obtain the packet error-free. Then,
let W = max(W_1, W_2, ..., W_m). W governs the total number
of transmissions necessary for all legitimate parties to receive
the packet.

By Lemma 6 we know that

  \Pr(W = w) = \prod_{i=1}^{m} \big(1 - \delta_i^{w}\big) - \prod_{j=1}^{m} \big(1 - \delta_j^{w-1}\big)   (13)

because the success parameter for W_i is 1 − δ_i for i =
1, 2, ..., m. Finally, we point out that

  \prod_{i=1}^{m} \big(1 - \delta_i^{w}\big) = 1 - \sum_{i=1}^{m} \delta_i^{w} + \sum_{i<j} (\delta_i\delta_j)^{w} - \sum_{i<j<k} (\delta_i\delta_j\delta_k)^{w} + \cdots + (-1)^{m} \Big(\prod_{i=1}^{m} \delta_i\Big)^{w},   (14)

which implies that

  \Pr(W = w) = \sum_{i=1}^{m} (1 - \delta_i)\,\delta_i^{w-1} - \sum_{i<j} (1 - \delta_i\delta_j)\,(\delta_i\delta_j)^{w-1} + \cdots + (-1)^{m+1} \Big(1 - \prod_{i=1}^{m}\delta_i\Big)\Big(\prod_{i=1}^{m}\delta_i\Big)^{w-1}.

With these pieces in place, we commence proving the lemma.
The eavesdropper misses all w transmissions of the packet with
probability ε^w, so Pr(R_ef | W = w) = 1 − ε^w, and

  \Pr(R_{ef}) = \sum_{w=1}^{\infty} \Pr(R_{ef} \mid W = w)\,\Pr(W = w)
    = \sum_{w=1}^{\infty} (1 - \epsilon^{w})\,\Pr(W = w)
    = 1 - \sum_{w=1}^{\infty} \epsilon^{w}\,\Pr(W = w)
    = 1 - \Big[ \sum_{i=1}^{m} (1 - \delta_i)\,\epsilon \sum_{w=0}^{\infty} (\epsilon\delta_i)^{w}
      - \sum_{i<j} (1 - \delta_i\delta_j)\,\epsilon \sum_{w=0}^{\infty} (\epsilon\delta_i\delta_j)^{w}
      + \cdots + (-1)^{m+1} \Big(1 - \prod_{i=1}^{m}\delta_i\Big)\,\epsilon \sum_{w=0}^{\infty} \Big(\epsilon\prod_{i=1}^{m}\delta_i\Big)^{w} \Big]
    = 1 - \sum_{i=1}^{m} \frac{(1 - \delta_i)\,\epsilon}{1 - \epsilon\delta_i}
      + \sum_{i<j} \frac{(1 - \delta_i\delta_j)\,\epsilon}{1 - \epsilon\delta_i\delta_j}
      - \cdots + (-1)^{m} \frac{\big(1 - \prod_{i=1}^{m}\delta_i\big)\,\epsilon}{1 - \epsilon\prod_{i=1}^{m}\delta_i}.   (15)

Since \sum_{k=1}^{m} (-1)^{k+1}\binom{m}{k} = 1, the leading 1 in (15)
can be distributed over the alternating sums, one unit per term, and
for every product δ of erasure probabilities
1 − (1 − δ)ε/(1 − εδ) = (1 − ε)/(1 − εδ), which gives the
expression in the lemma. ■

D. Collaborating Eavesdroppers

In this section we consider the case with l eavesdroppers
working together in order to obtain the cryptogram M,
each with a possibly unique probability of packet erasure
ε_1, ε_2, ..., ε_l. All are assumed to obtain packets through
independent PECs. It is simpler to first consider a single legitimate
user Bob with probability of packet erasure δ. Then the general
result which assumes m friendly parties with l collaborating
eavesdroppers comes easily.

Lemma 8. For l eavesdroppers and a single legitimate receiver,

  \Pr(R_{ef}) = \frac{1 - \prod_{i=1}^{l} \epsilon_i}{1 - \delta \prod_{i=1}^{l} \epsilon_i}.   (16)

Proof: The proof is straightforward if we note that
collaborating eavesdroppers receive a single sent packet if at
least one of them obtains the packet error-free. Let W be
a geometric random variable with success parameter 1 − δ.
This governs the number of transmissions for each packet.
Therefore,

  \Pr(R_{ef}) = \sum_{w=1}^{\infty} \Pr(R_{ef} \mid W = w)\,\Pr(W = w)
    = \sum_{w=1}^{\infty} \Big(1 - \prod_{i=1}^{l} \epsilon_i^{w}\Big)(1 - \delta)\,\delta^{w-1}
    = 1 - (1 - \delta)\prod_{i=1}^{l} \epsilon_i \sum_{w=0}^{\infty} \Big(\delta \prod_{i=1}^{l} \epsilon_i\Big)^{w}
    = 1 - \frac{(1 - \delta)\prod_{i=1}^{l} \epsilon_i}{1 - \delta\prod_{i=1}^{l} \epsilon_i}
    = \frac{1 - \prod_{i=1}^{l} \epsilon_i}{1 - \delta\prod_{i=1}^{l} \epsilon_i}.   (17)
 ■

Fig. 8. The simulated error rates in Eve's decoded cryptogram M̂ when γ
errors are made in guessing bit values for D degrees of freedom in Eve's
received codewords. (Panel title: Error propagation for incorrect guesses.)

This answer provides an easy bridge to an extremely general
result.

Corollary 2. For the scenario with m intended parties and l
eavesdroppers with similar notation as before,

  \Pr(R_{ef}) = (1 - \epsilon') \Big[ \sum_{i=1}^{m} \frac{1}{1 - \epsilon'\delta_i}
    - \sum_{i<j} \frac{1}{1 - \epsilon'\delta_i\delta_j}
    + \cdots + (-1)^{m+1} \frac{1}{1 - \epsilon'\prod_{i=1}^{m}\delta_i} \Big],   (18)

where

  \epsilon' = \prod_{i=1}^{l} \epsilon_i.

Proof: This proof is not included for the sake of brevity,
but is nearly identical to the proof of Lemma 7 with slight
alterations as indicated by the proof of Lemma 8 to allow for
multiple eavesdroppers. ■
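Corollary 2, with Lemmas 5, 7 and 8 as its special cases, as an added Python example that is not code from the paper: pr_ref_general evaluates (18) by inclusion-exclusion over subsets of receivers, pr_w_equals is (13), and pr_ref_by_series checks the closed form against a direct, truncated evaluation of Σ_w Pr(R_ef | W = w) Pr(W = w). The truncation length is an assumption of the example; it only needs to be long enough that the largest δ_i raised to that power is negligible.

```python
from itertools import combinations
from math import prod


def pr_ref_general(deltas, epsilons):
    """Corollary 2, eq. (18): m legitimate receivers with packet-erasure
    probabilities `deltas` run ARQ; l collaborating eavesdroppers with
    probabilities `epsilons` miss a transmission only if all of them do."""
    eps_prime = prod(epsilons)                      # eps' of (18)
    total = 0.0
    for size in range(1, len(deltas) + 1):          # inclusion-exclusion over
        sign = (-1) ** (size + 1)                   # subsets of receivers
        for subset in combinations(deltas, size):
            total += sign / (1 - eps_prime * prod(subset))
    return (1 - eps_prime) * total


def pr_w_equals(deltas, w):
    """Eq. (13): pmf of W = max of the receivers' geometric retransmission
    counts, via Lemma 6 with success parameters 1 - delta_i."""
    return (prod(1 - d ** w for d in deltas)
            - prod(1 - d ** (w - 1) for d in deltas))


def pr_ref_by_series(deltas, epsilons, terms=4000):
    """Pr(R_ef) = sum_w Pr(R_ef | W = w) Pr(W = w), evaluated directly with a
    truncated sum; Pr(R_ef | W = w) = 1 - eps'^w since the eavesdroppers
    must all miss every one of the w transmissions."""
    eps_prime = prod(epsilons)
    return sum((1 - eps_prime ** w) * pr_w_equals(deltas, w)
               for w in range(1, terms + 1))


if __name__ == "__main__":
    # constructed parameters: two receivers, two collaborating eavesdroppers
    deltas, epsilons = [0.5, 0.7], [0.6, 0.8]
    print(pr_ref_general(deltas, epsilons), pr_ref_by_series(deltas, epsilons))
    # one receiver, one eavesdropper reduces to Lemma 5, eq. (10)
    print(pr_ref_general([0.3], [0.2]), (1 - 0.2) / (1 - 0.2 * 0.3))
```

Extra legitimate receivers raise Pr(R_ef) (more retransmissions give the eavesdroppers more chances), while extra collaborating eavesdroppers lower ε′ and raise it as well; both effects reduce E[D] through Theorem 1.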



VII. Cryptographic Security Enhancements

The probabilistic security analysis in Section VI assumes
that attacks on the cryptography become more difficult or
completely infeasible as D gets large. It remains to show the
effect of the coding scheme on attacks of the cryptography.
As an example, fast correlation attacks on stream ciphers are
known to be possible, even if the cryptogram is error-prone. It
was noted in [8], [9], [10] that specific attacks from [7] were
made more difficult, and in some cases impossible, due to error
rates in the cryptogram beyond a certain threshold. Certainly
as bit error rates approach 0.5 in the cryptogram, attacks of
the fast-correlation variety break down completely.

Let P = (p^1, p^2, ..., p^L) be the collection of punctured
codewords obtained by Eve, where p^i = (p^i_1, p^i_2, ..., p^i_n),
and let B = (b^1, b^2, ..., b^L) be the decoded codewords,
where b^i = (b^i_1, b^i_2, ..., b^i_N). Finally, define the implied block
structure of Eve's decoder output as M̂ = (m̂^1, m̂^2, ..., m̂^L),
where m̂^i = (m̂^i_1, m̂^i_2, ..., m̂^i_k). Each channel-erased bit in p^i
yields a degree of freedom in b^i, and complete recovery of
b^i requires that D bits in b^i be guessed correctly. If a guess
is incorrect, there will be at least as many errors in b^i as
the minimum distance of the LDPC code. The descrambling
process magnifies any errors in b^i to an expected bit
error rate of 0.5 in m̂^i. Therefore, since all guesses are equally
likely, a brute-force attack on D bits must be accomplished to
obtain each m̂^i.

Simulations of the end-to-end encoder and decoder clearly
indicate the expected bit error rate in M̂ of 0.5 for an incorrect
guess. Simulations were performed using the irregular LDPC
code of Example 1 with N = 1000 and k = 500. Puncturing
patterns used were such that |R| ≥ 498 bits. S was formed
randomly by setting roughly half of the entries equal to one
until such a matrix was invertible using the LU decomposition
in GF(2). Let γ be the number of bits in Eve's guess which are
incorrect. We offer simulation results for γ = 1, 2, 3, 4, 5, 10,
15, 20, 25, 30, 40, 50, 60, 70, 80, 90, 100, 200, 300, and 400 in
Fig. 8. Each γ value was tested 300 times on both the MP and
ML decoder, while a new puncturing pattern R was generated
every 10 experiments, and a new code from the ensemble was
selected every 30 experiments. All tests produced error rates
in between 0.414 and 0.578 in M̂, while the mean depicted a
0.5002 bit error rate with no noticeable difference between MP
and ML decoders, or between γ values, as Fig. 8 indicates.

These results imply that unless D bits are guessed exactly,
the cryptography must be attacked with an average bit error
rate of 0.5 in M̂. We can certainly expect such an attack to fail
for fast correlation attacks on stream ciphers, but the notion
that any attack on a cryptosystem could absorb such error rates
and still succeed is obviously shortsighted. However, since an
attack could feasibly be staged using a single block of M̂, we
will only guarantee failure of the attack if every block in M̂ is
incorrect. Using similar logic, it can be said that if an attack
would succeed using the error-free ciphertext M, then it may
fail even if a single block in M̂ is in error.
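The error-amplification property that the simulation above measures, as an added Python example (not the paper's simulation code): a dense random k × k scrambler S over GF(2) is drawn until it is invertible, as in the setup described, and a wrong guess is modelled by flipping a few of the scrambled systematic bits, after which descrambling with S^{-1} flips roughly half of the message bits. The LDPC decoding stage is left out; modelling only the descrambling step, and the matrix size k = 256, are assumptions of this example.

```python
import random


def gf2_inverse(rows, k):
    """Gauss-Jordan elimination over GF(2). `rows` holds k row bitmasks (bit j
    is column j). Returns the rows of the inverse, or None if singular."""
    a, inv = rows[:], [1 << i for i in range(k)]          # [A | I]
    for col in range(k):
        bit = 1 << col
        pivot = next((r for r in range(col, k) if a[r] & bit), None)
        if pivot is None:
            return None
        a[col], a[pivot] = a[pivot], a[col]
        inv[col], inv[pivot] = inv[pivot], inv[col]
        for r in range(k):
            if r != col and a[r] & bit:
                a[r] ^= a[col]
                inv[r] ^= inv[col]
    return inv


def random_invertible_gf2(k, rng):
    """Draw dense random k x k binary matrices (about half the entries one)
    until one is invertible, as in the simulation setup of Section VII."""
    while True:
        rows = [rng.getrandbits(k) for _ in range(k)]
        inv = gf2_inverse(rows, k)
        if inv is not None:
            return rows, inv


def gf2_matvec(rows, x):
    """y = A x over GF(2), with x and the rows of A as bitmasks."""
    y = 0
    for i, row in enumerate(rows):
        if bin(row & x).count("1") & 1:
            y |= 1 << i
    return y


def descrambled_error_rate(k, n_flips, seed=0):
    """Scramble a random k-bit message, flip n_flips of the scrambled bits
    (standing in for a wrong guess of erased bits), descramble with S^{-1},
    and return the fraction of message bits that come out wrong."""
    rng = random.Random(seed)
    S, S_inv = random_invertible_gf2(k, rng)
    m = rng.getrandbits(k)
    b = gf2_matvec(S, m)                         # scrambled systematic bits
    for idx in rng.sample(range(k), n_flips):
        b ^= 1 << idx
    m_hat = gf2_matvec(S_inv, b)
    return bin(m ^ m_hat).count("1") / k


def roundtrip_ok(k, seed=3):
    """Sanity check of the inverse: S^{-1}(S x) = x for every x (small k)."""
    S, S_inv = random_invertible_gf2(k, random.Random(seed))
    return all(gf2_matvec(S_inv, gf2_matvec(S, x)) == x for x in range(1 << k))


if __name__ == "__main__":
    for flips in (1, 5, 50):
        print(flips, descrambled_error_rate(256, flips, seed=1))
```

A single flipped bit in b turns into one column of S^{-1} being added to the message; for a dense random invertible S that column has weight close to k/2, which is exactly why the measured rates cluster around 0.5 regardless of γ.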
Theorem 2. Define the complexity of a cryptographic attack
to be C_A. Let D be the degrees of freedom of each of L blocks
in B. Then the expected complexity C_PL of a successful attack
on the system is bounded as

  2^{E[D]}\big(1 - 2^{-1/L}\big)\,C_A \le C_{PL} \le 2^{E[D]}\big(2^{-1/L}\big)\,C_A.   (19)

Proof: By Corollary 1, each codeword in B has the same
number of degrees of freedom. Thus, E[D] is the average
number of bits that must be guessed in each of L punctured
codewords in P. Assume that an attacker guesses bit patterns
on all codewords in P simultaneously. The correct bit patterns
of the channel-erased bits in the L codewords P are uniformly
distributed over 2^{E[D]} possibilities in each block. The lower
bound is formulated by the expected number of guesses until
at least one of L codewords is found. Model the correct
bit patterns in the L codewords as i.i.d. discrete uniform
random variables on {0, 1, ..., 2^{E[D]} − 1}, say U_1, U_2, ..., U_L.
Without loss of generality, assume that an attacker begins
by guessing zero for each U_i and proceeds in an orderly
fashion. Then, the expected number of guesses until at least
one is correct is given by E[min(U_1, U_2, ..., U_L)]. Thus,
we calculate

  \Pr(\min(U_1, U_2, \ldots, U_L) \ge z) = \Pr(U_1 \ge z, U_2 \ge z, \ldots, U_L \ge z) = \Pr(U_1 \ge z)\,\Pr(U_2 \ge z) \cdots \Pr(U_L \ge z).

Now, solve for z in Pr(min(U_1, U_2, ..., U_L) ≥ z) = 0.5 for
a close bound on the expectation to get the lower bound.

The upper bound is calculated similarly, but we assume that
all patterns must be guessed in order to guarantee success;
therefore, the bound is given by finding the z that solves
Pr(max(U_1, U_2, ..., U_L) < z) = 0.5. ■

As a check on these bounds, for L = 1 we expect 2^{E[D]−1}
guesses on average for a successful attack. In this case, both
bounds meet at 2^{E[D]−1} C_A, as expected. Although these
bounds are helpful, when L > 1 the bounds are not as tight,
and thus provide limited insight into the true increase in
complexity of the attack. More than likely, an attack will require
at least a certain number of consecutive blocks in M̂ to execute
successfully [7]. Clearly a 0.5 bit error rate in any block
would destroy an attack with these requirements. Therefore,
the upper bound in (19) serves as a good approximation to
the expected amount of work necessary to complete the attack,
with L being set by the attack specifications. Thus we see that
our system appends a multiplier which is exponential in E[D]
to the complexity of a cryptographic attack through practical
physical-layer security.
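The bounds (19) of Theorem 2, as an added Python example (not the paper's code): attack_complexity_bounds evaluates the two sides of (19), and exact_expected_min_max computes the exact expected minimum and maximum of the L uniform guess positions for a small E[D], so the median-based bounds can be compared with the expectations they stand in for. Treating E[D] as an integer number of bits is an assumption of the example.

```python
def attack_complexity_bounds(expected_d, L, c_a=1.0):
    """Eq. (19): lower and upper bounds on the expected cost C_PL of an attack
    that needs the erased bits of L blocks, each with E[D] unknown bits."""
    scale = 2.0 ** expected_d
    lower = scale * (1 - 2 ** (-1 / L)) * c_a
    upper = scale * 2 ** (-1 / L) * c_a
    return lower, upper


def exact_expected_min_max(n_bits, L):
    """Exact E[min] and E[max] of L i.i.d. uniforms on {0, ..., 2^n_bits - 1},
    the quantities Theorem 2 approximates by solving for their medians."""
    size = 2 ** n_bits
    # E[min] = sum_{z>=1} Pr(min >= z), with Pr(min >= z) = ((size - z)/size)^L
    e_min = sum(((size - z) / size) ** L for z in range(1, size + 1))
    # E[max] = sum_{z>=1} Pr(max >= z), with Pr(max >= z) = 1 - (z/size)^L
    e_max = sum(1 - (z / size) ** L for z in range(1, size + 1))
    return e_min, e_max


def bounds_bracket_expectations(n_bits, L):
    """Check that (19) (with C_A = 1) brackets the exact expectations."""
    lower, upper = attack_complexity_bounds(n_bits, L)
    e_min, e_max = exact_expected_min_max(n_bits, L)
    return lower <= e_min and e_max <= upper


if __name__ == "__main__":
    for L in (1, 2, 3):
        print(L, attack_complexity_bounds(10, L), exact_expected_min_max(10, L))
```

For L = 1 both bounds collapse to 2^{E[D]−1}, the familiar half-keyspace expectation; for L > 1 the lower bound under-estimates E[min] and the upper bound over-estimates E[max], which is the looseness the text notes.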

VIII. Conclusions

In conclusion, we have presented the security metric of
degrees of freedom D in an eavesdropper's received codewords,
and applied this metric to a physical-layer coding
scheme to show cryptographic security enhancements due to
channel coding. The coding scheme relies on the nature of
independent packet erasure channels and ARQ to provide
secrecy and reliability, respectively. End-to-end details of the
encoder and decoder were provided. Design criteria were
specified to maximize D in a maximum-likelihood attack
as well as a message-passing attack. This involved security
performance comparisons of LDPC codes with varying degree
distributions, where irregular codes were shown to outperform
regular codes in maximizing D. The expected value of D
was also shown to be equal to H(X|Z) in our encoder.
Probabilistic security results were obtained and made general
so as to apply to multiple receivers and multiple collaborative
attackers. Simulation results were provided which show that
unless an attacker can guess D symbols in the received data
correctly, the system yields a bit error rate of 0.5 in the
cryptogram, thus necessitating a brute-force attack on D bits
for each codeword. The end result on the expected increase
in attack complexity on the cryptosystem due to our scheme
is a multiplier which is exponential in E[D]. The system
was shown to provide cryptographic security enhancement,
even when eavesdroppers have an advantage over legitimate
receivers in signal quality.